When participating in bug rebellions or penetration tests- it is extremely important to obtain as much information as possible about the purpose of your attack. We call this the reconnaissance phase. Sometimes interesting effects can be achieved by referting to old, forgotten or seemingly hidden domains, subdomains or IP addresses. Blind shooting in random subdomain names can be time consuming. It is worth to facilitate the task and use the PassiveTotal tool from RISKIQ. It was created to help analyze data related to suspicious network traffic. However, there is also information that we are looking for, i.e. a list of subdomains related to the domain we are interested in.
Tool to find at – PassiveTotal.